Ubuntu 16.04: Gerrit and Jenkins for code review

Table of Contents

• 1. gerrit server configuration
  • 1.1. Install gerrit package
  • 1.2. Change TCP port
  • 1.3. Use Apache2
• 2. Add admin user who can use HTTP authentication
• 3. gerrit client configuration
  • 3.1. no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
  • 3.2. Install git-review package
• 4. Create new project
• 5. Import existing repository to gerrit
• 6. Jenkins
  • 6.1. Add Verified score
  • 6.2. Add jenkins user to gerrit
  • 6.3. Jenkins’s Gerrit Trigger Plugin
  • 6.4. Excecution result

1 gerrit server configuration

Here will describe configuration for running gerrit server on Ubuntu 16.04.

1.1 Install gerrit package

Install gerrit package with apt.

$ sudo apt install -y openjdk-8-jdk$ sudo su -c ‘echo “deb mirror://mirrorlist.gerritforge.com/deb gerrit contrib” > /etc/apt/sources.list.d/gerritforge.list’$ sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys 1871F775$ sudo apt-get update -y$ sudo apt-get install -y gerrit$ sudo systemctl enable gerrit$ sudo systemctl start gerrit

Now you can access to gerrit with below URL.

http://<server>:8080

1.2 Change TCP port

The gerrit default port is 8080. This port can be changed with following.

The domain name in canonicalWebUrl will be used for page transition. You can use IP address instead of the domain name. But these must be accessible from other machine. The domain name is set to hostname by default.

$ diff -uprN /etc/gerrit/gerrit.config{.org,}— /etc/gerrit/gerrit.config.org 2016-07-25 19:59:41.598934505 +0900+++ /etc/gerrit/gerrit.config 2016-07-25 19:59:55.114798625 +0900@@ -1,6 +1,6 @@ [gerrit] basePath = git- canonicalWebUrl = canonicalWebUrl = [database] type = h2 database = db/ReviewDB@@ -13,7 +13,7 @@ [sshd] listenAddress = *:29418 [httpd]- listenUrl = http://*:8080/+ listenUrl = http://*:8081/ [cache] directory = cache [receive]

Restart gerrit.

$ sudo systemctl restart gerrit

Now you can access to gerrit with below URL.

http://<server>:8081

1.3 Use Apache2

Apache2’s proxy_http will provides access via <server>/gerrit instead of <server>:<port>. Apache2’s auth_digest will provides authentication for accessing gerrit URL.

Make gerrit to use Apache2.

$ diff -uprN /etc/gerrit/gerrit.config{.org,}— /etc/gerrit/gerrit.config.org 2016-07-25 20:02:36.845106678 +0900+++ /etc/gerrit/gerrit.config 2016-07-25 20:03:24.788584852 +0900@@ -1,6 +1,6 @@ [gerrit] basePath = git- canonicalWebUrl = canonicalWebUrl = [database] type = h2 database = db/ReviewDB@@ -13,7 +13,7 @@ [sshd] listenAddress = *:29418 [httpd]- listenUrl = http://*:8081/+ listenUrl = proxy-http://127.0.0.1:8081/gerrit [cache] directory = cache [receive]

Restart gerrit.

$ sudo systemctl restart gerrit

Install apache2 package with apt.

$ sudo apt install -y apache2

Create Apache2 configuration.

• Use proxy_http for rewrite <server>:<port> to <server>/gerrit.
• Use auth_digest for authentication gerrit server URL.
• Use nocanon for accessing URL which has a slash like path/to/src.c.

$ sudo su -c ‘cat << EOF > /etc/apache2/mods-enabled/gerrit.confProxyPass /gerrit http://localhost:8081/gerrit nocanonProxyPassReverse /gerrit http://localhost:8081/gerrit nocanonProxyRequests Off<Proxy http://localhost:8081/gerrit> Order deny,allow Allow from all</Proxy><Location /gerrit> AuthType Digest AuthName “gerrit” AuthUserFile /etc/apache2/.htdigest Require valid-user</Location>EOF’

Create digest authentication password file.

$ sudo htdigest -c /etc/apache2/.htdigest “gerrit” hiroom2Adding password for hiroom2 in realm gerrit.New password:Re-type new password:

gerrit will use %2F instead of slash. Make AllowEncodedSlashes On in VirtualHost directive.

$ diff -uprN /etc/apache2/sites-available/000-default.conf{.org,}— /etc/apache2/sites-available/000-default.conf.org 2016-07-25 20:21:33.160757290 +0900+++ /etc/apache2/sites-available/000-default.conf 2016-07-25 20:21:52.892879066 +0900@@ -26,6 +26,8 @@ # following line enables the CGI configuration for this host only # after it has been globally disabled with “a2disconf”. #Include conf-available/serve-cgi-bin.conf++ AllowEncodedSlashes On </VirtualHost> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Enable proxy_http and auth_digest with a2enmod. Restart Apache2.

$ sudo a2enmod proxy_http auth_digest$ sudo systemctl restart apache2

2 Add admin user who can use HTTP authentication

Add admin user with following.

• Create SSH public key on gerrit client.
• Change gerrit authentication to HTTP.
• Access to gerrit server and create user.
• Change gerrit authentication to DEVELOPMENT_BECOME_ANY_ACCOUNT.
• Add user to Administrators group with Administrator user.
• Change gerrit authentication to HTTP.
• Register email via SSH.
• This user can add user belonging Administrators group without DEVELOPMENT_BECOME_ANY_ACCOUNT.

Create SSH public key on gerrit client. If you have SSH public key already, please use it.

$ ssh-keygen -t rsaGenerating public/private rsa key pair.Enter file in which to save the key (/home/hiroom2/.ssh/id_rsa):Enter passphrase (empty for no passphrase):Enter same passphrase again:Your identification has been saved in /home/hiroom2/.ssh/id_rsa.Your public key has been saved in /home/hiroom2/.ssh/id_rsa.pub.<snip>$ cat .ssh/id_rsa.pubssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ<snip>ooooWgJfN/LHp hiroom2@ubuntu-16

Change gerrit authentication to HTTP.

$ diff -uprN /etc/gerrit/gerrit.config{.org,}— /etc/gerrit/gerrit.config.org 2016-07-28 00:24:10.609299708 +0900+++ /etc/gerrit/gerrit.config 2016-07-28 00:24:24.629195859 +0900@@ -7,7 +7,7 @@ [index] type = LUCENE [auth]- type = DEVELOPMENT_BECOME_ANY_ACCOUNT+ type = HTTP [sendemail] smtpServer = localhost [sshd]

Restart gerrit.

$ sudo systemctl restart gerrit

Access to gerrit server with below URL.

http://<server>/gerrit

The dialog for digest authentication is displayed. Input username and password which are created with htdigest.

Register Fullname and SSH public key. You must use Fullname which is different from username. Unfortunatelly, email might cannot be registered via HTTP. email will be registered via SSH later.

Change gerrit authentication to DEVELOPMENT_BECOME_ANY_ACCOUNT.

$ diff -uprN /etc/gerrit/gerrit.config{.org,}— /etc/gerrit/gerrit.config.org 2016-07-28 00:37:43.171990767 +0900+++ /etc/gerrit/gerrit.config 2016-07-28 00:39:11.763461918 +0900@@ -7,7 +7,7 @@ [index] type = LUCENE [auth]- type = HTTP+ type = DEVELOPMENT_BECOME_ANY_ACCOUNT [sendemail] smtpServer = localhost [sshd]

Restart gerrit.

$ sudo systemctl restart gerrit

Reload browser and select “Switch Account” at the upper right.

Select Administrator.

Select “List Groups” of “People” at the upper.

Add user to Administrators group.

Change gerrit authentication to HTTP.

$ diff -uprN /etc/gerrit/gerrit.config{.org,}— /etc/gerrit/gerrit.config.org 2016-07-28 00:39:38.915300824 +0900+++ /etc/gerrit/gerrit.config 2016-07-28 00:40:21.187050856 +0900@@ -7,7 +7,7 @@ [index] type = LUCENE [auth]- type = DEVELOPMENT_BECOME_ANY_ACCOUNT+ type = HTTP [sendemail] smtpServer = localhost [sshd]

Restart gerrit.

$ sudo systemctl restart gerrit

Register email via SSH.

$ # ssh -p 29418 <server> gerrit set-account –add-email <mail> <user>$ # ssh -p 29418 <server> gerrit set-account –preferred-email <mail> <user>$ ssh -p 29418 ubuntu-16.04-gerrit.hiroom2.com gerrit set-account –add-email “[email protected]” hiroom2$ ssh -p 29418 ubuntu-16.04-gerrit.hiroom2.com gerrit set-account –preferred-email “hi[email protected]” hiroom2

This user can add the other user to Administrators group without switching HTTP and DEVELOPMENT_BECOME_ANY_ACCOUNT.

In case of HTTP user like commiter and reviewer is as below.

• Add username and password to digest authentication password file.
• Access to gerrit via HTTP with username and password and create user.
• Update user’s email via SSH

In case of Non-HTTP user like Jenkins is as below.

• Create user via SSH.

3 gerrit client configuration

Here will describe configuration for using gerrit server from client on Ubuntu 16.04.

3.1 no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

While gerrit will use diffie-hellman-group1-sha1, OpenSSH 7 client does not support old encryption including diffie-hellman-group1-sha1 by default. This will cause SSH connection error.

$ # OpenSSH 7 client$ ssh -p 29418 ubuntu-16.04-gerrit.hiroom2.com gerritUnable to negotiate with 192.168.11.86 port 29418: no matching keyexchange method found. Their offer: diffie-hellman-group1-sha1

For avoiding this issue, use the following alias in .bashrc.

alias ssh=’ssh -oKexAlgorithms=+diffie-hellman-group1-sha1′

You can also use the following configuration in .ssh/config.

$ cat .ssh/configHost ubuntu-16.04-gerrit.hiroom2.com KexAlgorithms +diffie-hellman-group1-sha1

3.2 Install git-review package

Install git-review package which is a tool for sending a patch to gerrit server.

$ sudo apt-get install -y git-review

4 Create new project

Create new project with the following SSH command. If you do not import existing repository to the project, you must use –empty-commit option.

ssh -p 29418 <server> gerrit create-project –empty-commit <name> –description “‘<desc>'”

Create new project which names new-project.

$ ssh -p 29418 ubuntu-16.04-gerrit.hiroom2.com gerrit create-project –empty-commit new-project.git –description “‘Create project from SSH command'”

git clone via HTTP.

$ git clone cd new-project

Create .gitreview which is configuration file for git-review. Please change host and project to your environment.

$ cat <<EOF > .gitreview[gerrit]host=ubuntu-16.04-gerrit.hiroom2.comport=29418project=new-projectdefaultbranch=masterEOF

Commit patch.

$ echo hello > hello.txt$ git add hello.txt$ git commit -m “Hello, World”

git log before git-review is as below.

$ git logcommit e2b5070e2cdc576a2e669366f85797ebfdc29b49Author: hiroom2 gerrit <hiroom2@ubuntu-16>Date: Thu Jul 28 05:29:51 2016 +0900 Hello, Worldcommit bc9d23cb95c8d94ae8e3544bac512c4210c7c443Author: hiroom2 gerrit <[email protected]>Date: Thu Jul 28 05:25:49 2016 +0900 Initial empty repository

git-reviewを実行します。

$ git review # or git review -RCreating a git remote called “gerrit” that maps to: ssh://[email protected]:29418/new-projectYour change was committed before the commit hook was installed.Amending the commit to add a gerrit change id.remote: Processing changes: new: 1, refs: 1, doneremote:remote: New Changes:remote: Hello, Worldremote:To ssh://[email protected]:29418/new-project * [new branch] HEAD -> refs/publish/master

git log after git-review is as below. “Change-ID:xxx” has been appended. The “Change-ID:xxx” is ID for managing the patch on gerrit server.

$ git logcommit 2fc75bd27f6bb323ad19a39b74c68b5faafac848Author: hiroom2 gerrit <hiroom2@ubuntu-16>Date: Thu Jul 28 05:29:51 2016 +0900 Hello, World Change-Id: I965523a134ac6bfaae91491bc7d53d153a93e3d2commit bc9d23cb95c8d94ae8e3544bac512c4210c7c443Author: hiroom2 gerrit <[email protected]>Date: Thu Jul 28 05:25:49 2016 +0900 Initial empty repository

This “Change-Id:xxx” is appended by .git/hooks/commit-msg which was downloaded when running git-review. If you have the other .git/hooks/commit-msg, git-review won’t download .git/hooks/commit-msg for gerrit and “Change-Id:xxx” will not appended. In this case, you need to download .git/hooks/commit-msg for gerrit via following URL.

$ # wget http://<server>/gerrit/tools/hooks/commit-msg$ wget mv commit-msg .git/hooks/commit-msg_gerrit

Rename existing .git/hooks/commit-msg to .git/hooks/commit-msg_xxx. Add the following .git/hooks/commit-msg which will call .git/hooks/commig_msg-xxx.

$ cat .git/hooks/commit-msg#!/bin/shfor script in `ls ${0}_*`; do echo “Running ${script}” ${script} $@ ret=$? if [ ${ret} -ne 0 ]; then echo “${script} is FAILED.” exit ${ret} fidone

Select “Open” of “All” at the upper. The patch by git-review is displayed.

Select patch and detail page is displayed. You can check patch on this page. Select “Abandon” if there is a problem, select “Code-Review+2” if there is no problem. This article will select “Code-Review+2”.

“Submit” will be enabled when value of “Code-Review” is +2. “Submit” will push the patch to repository.

5 Import existing repository to gerrit

Create project without –empty-commit option.

$ ssh -p 29418 ubuntu-16.04-gerrit.hiroom2.com gerrit create-project existing-project.git –description “‘Create existing project from SSH command'”

Create bare repository of existing repository.

$ git clone –bare <path-to-repo>/existing-project.git$ cd existing-project.git

Push bare repository to gerrit server via SSH.

$ git push ssh://ubuntu-16.04-gerrit.hiroom2.com:29418/existing-project.git *:*

After this, you can git clone via HTTP. The hash value is the same with existing repository.

$ git clone

6 Jenkins

Add Verified score in addition to Code-Review score and make Jenkins verified automatically. Adding Verified score will provides build and test result before code review. Submit can be done when Code-Review score is over than +2 and Verified score is over than + 1. This article will use existing-project which was used before.

6.1 Add Verified score

Code-Review score is defined by Code-Review label in project configuration. Define Verified label in All-Projects’s project configuration. All-Project is the base project for creating project.

Select “Open” of “All” menu and select All-Project.

Select “Edit Project Config”.

Project configuration is displayed.

Change project configuration with as below.

diff –git a/project.config b/project.configindex 2584f6b..919288d 100644— a/project.config+++ b/project.config@@ -28,6 +28,9 @@ label-Code-Review = -2..+2 group Administrators label-Code-Review = -2..+2 group Project Owners label-Code-Review = -1..+1 group Registered Users+ label-Verified = -1..+1 group Administrators+ label-Verified = -1..+1 group Project Owners+ label-Verified = -1..+1 group Registered Users submit = group Administrators submit = group Project Owners editTopicName = +force group Administrators@@ -40,6 +43,8 @@ push = group Project Owners label-Code-Review = -2..+2 group Administrators label-Code-Review = -2..+2 group Project Owners+ label-Verified = -1..+1 group Administrators+ label-V
erified = -1..+1 group Project Owners submit = group Administrators submit = group Project Owners [access “refs/tags/*”]@@ -57,3 +62,8 @@ value = 0 No score value = +1 Looks good to me, but someone else must approve value = +2 Looks good to me, approved+[label “Verified”]+ function = MaxWithBlock+ value = -1 Fails+ value = 0 No score+ value = +1 Verified

Select “Publish Edit”, “Publish”, “Code-Review+2”, “Submit”. Change is applied.

6.2 Add jenkins user to gerrit

Create Jenkins’s SSH public key on Jenkins server.

$ sudo su – jenkins$ ssh-keygen -t rsaGenerating public/private rsa key pair.Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa):Enter passphrase (empty for no passphrase):Enter same passphrase again:Your identification has been saved in /var/lib/jenkins/.ssh/id_rsa.Your public key has been saved in /var/lib/jenkins/.ssh/id_rsa.pub.<snip>

Add jenkins user to gerrit with admin user. Register Jenkins’s SSH public key.

$ cat id_rsa.pub | ssh -p 29418 ubuntu-16.04-gerrit.hiroom2.com gerrit create-account –ssh-key – –group “‘Administrators'” –full-name “‘jenkins gerrit'” –email “‘[email protected]'” jenkins

6.3 Jenkins’s Gerrit Trigger Plugin

Gerrit Trigger Plugin run test on Jenkins via git-review and update Verified score to gerrit. Install Gerrit Trigger Plugin in Jenkins’s Plugin Manager.

Open Gerit Trigger Plugin configuration.

Manage Jenkins -> Gerrit Trigger

Input gerrit server.

Set gerrit server hostname to “Hostname”, gerrit server URL to “Frontend URL” and jenkins to “Username”.

http://<server>/gerrit # Frontend URL

You can check connection with “Test Connection”. Save this configuration.

Click status of appended gerrit server. It will be blue from red.

Create new project with “New Item”.

This article will use “Freestyle project”.

Select “git” at “Source Code Management”.

• Set gerrit project repository URL to “Repository URL”.
• Click “Advanced” and set $GERRIT_REFSPEC to “Refspec”.
• Click “Add Branch” and $GERRIT_MASTER to “Branch Specifier”.

Check “Gerrit event” at “Build Triggers”.

• Set gerrit server to “Choose a Server”. This gerrit server was appended in Gerrit Trigger Plugin configuration.
• Append “Patchset Created” and “Draft Published” to “Trigger on”.
• Set “Plain” to “Type” and gerrit project name to Pattern in “Gerrit Project”.
• Set “Path” to “Type” and “**” to “Pattern” in “Gerrit Project’s Branches”.

6.4 Excecution result

Clone existing-project from gerrit server.

$ git clone cd existing-project

Append .gitreview for existing-project.

$ cat <<EOF > .gitreview[gerrit]host=ubuntu-16.04-gerrit.hiroom2.comport=29418project=existing-projectdefaultbranch=masterEOF

Create new file and commit it.

$ echo hello > hello.txt$ git add hello.txt$ git commit -m “Hello, World”

Send patchset to gerrit server with git-review.

$ git review -RCreating a git remote called “gerrit” that maps to: ssh://[email protected]:29418/existing-projectYour change was committed before the commit hook was installed.Amending the commit to add a gerrit change id.remote: Processing changes: new: 1, refs: 1, doneremote:remote: New Changes:remote: Hello, Worldremote:To ssh://[email protected]:29418/existing-project * [new branch] HEAD -> refs/publish/master

Build history has a new build which was triggered by gerrit.

Verified score is updated by Jenkins on gerrit server. After Code-Review score is +2, it can submit.